Sunday, December 20, 2015

How to prevent Phishing?

What is Phishing?

Phishing is a technique attackers use to acquire sensitive
information such as usernames, passwords and credit card numbers from
victims, in order to use that information for malicious purposes.
Generally the attackers masquerade as a trustworthy entity and contact
the victims through an electronic communication (most often email),
convincing them to hand over the sensitive information themselves.

The term Phishing is a homophone of fishing: the attackers dangle a
fake bait to trap victims.

The first widely reported examples of Phishing date back to 1995.
Attackers posed as AOL company representatives and contacted AOL users
asking them "to verify account" or "confirm billing information". Some
users fell for it and provided sensitive information such as account
numbers, passwords and credit card details. Many AOL users became
victims. Eventually AOL enforced policies against Phishing and took
many steps that almost stopped these illegal activities. But since then
attackers have kept inventing new fraudulent techniques, and they still
trap many victims today.

Different Types of Phishing

There are mainly four different types
of Phishing.

Sometimes the attackers do not target any particular victim. Instead
they masquerade as a trustworthy authority and send the same fraudulent
email to thousands of recipients at once. Some of the recipients fall
into the trap and end up providing sensitive information.

But sometimes an individual or a company is targeted separately, with
a message tailored to that target. This is called Spear Phishing, and it
is reported to be the most widely used Phishing technique.

In another technique, attackers copy a legitimate email that the
actual authority has sent and replace its links with links to their
fraudulent website. They also spoof the sender address so that it looks
like the trustworthy entity's address, and claim the message is an
updated version of the original email. Many victims cannot tell the
difference, visit the fraudulent links and end up providing sensitive
information. This is called Clone Phishing.

In yet another technique, attackers target senior executives. They send
emails claiming to be a customer complaint, an executive issue or even a
legal subpoena. The emails contain fraudulent links that look real but
actually collect sensitive information. Sometimes the emails also ask
the victim to install software from a link in order to view the
message, and trap the victim that way. This is called Whaling.

Different Techniques Used in Phishing

The attackers use various techniques for Phishing. Some of the most
commonly used techniques are described below.

Attackers sometimes put the text of the email inside images instead of
sending plain text. As a result it becomes much harder for
anti-phishing software to detect the Phishing by looking at the words.
But today many anti-phishing filters use OCR (Optical Character
Recognition) to read the text inside images and filter those messages
too.

Sometimes the attackers use JavaScript to alter the address bar, or
place an image of the legitimate URL over the real address bar. As a
result, once a victim has clicked the fraudulent link, it becomes very
difficult for him to notice the deception. Modern browsers no longer
let a page hide or cover the address bar, so this trick mostly works on
outdated browsers; today attackers more often rely on look-alike
domains or very long URLs that push the real host name out of view.

Sometimes the attackers abuse a flaw in the actual official website, so
that once a user visits it a fraudulent pop-up appears asking for
sensitive information such as account name, password etc. To give a more
specific example: a user clicks on a link that appears to come from an
official social networking website, and on clicking it he is asked
whether he wants to authorize an application. If the user clicks "yes",
the site hands a token to the attackers that gives them access to
sensitive information such as the user's email id, friend list etc.
This sort of Phishing is called Covert Redirect, and it is much harder
to detect because the address bar shows the genuine site for most of
the flow.
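The Covert Redirect flaw is usually a lax redirect_uri check on the authorization endpoint combined with an open redirector on the client site: the provider only checks the host of redirect_uri, so the attacker points it at the client's redirector, which forwards the token to the attacker. The following Python is an added example (not code from the original post or from any real provider) contrasting the lax check with the strict one; the hosts app.example and evil.example, the /redirect?to= endpoint and the function names are hypothetical.

```python
"""Added example: host-only redirect_uri validation (vulnerable) versus
exact-match validation (hardened) on a model OAuth authorization endpoint.
All hosts, paths and names are hypothetical."""
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit

# Callback the hypothetical third-party app registered with the provider.
REGISTERED_REDIRECT_URIS = {"https://app.example/oauth/callback"}


def lax_redirect_ok(redirect_uri: str) -> bool:
    """Vulnerable check: compares only the host against the registered
    hosts, so any path on app.example is accepted, including an open
    redirector that lives on that host."""
    registered_hosts = {urlsplit(u).netloc for u in REGISTERED_REDIRECT_URIS}
    return urlsplit(redirect_uri).netloc in registered_hosts


def strict_redirect_ok(redirect_uri: str) -> bool:
    """Hardened check: exact string match with a registered URI; scheme,
    host, path and query all have to agree (no prefix or host-only match)."""
    return redirect_uri in REGISTERED_REDIRECT_URIS


def open_redirect_target(url: str) -> Optional[str]:
    """Model of a typical open redirector on the client site,
    https://app.example/redirect?to=<anywhere>.  Returns where the browser
    is sent, or None when the URL is not the redirector."""
    parts = urlsplit(url)
    if parts.netloc == "app.example" and parts.path == "/redirect":
        return parse_qs(parts.query).get("to", [None])[0]
    return None


def authorize(redirect_uri: str, check: Callable[[str], bool]) -> Optional[str]:
    """Simulate the provider after the user clicks 'yes'.  Returns the host
    that finally receives the token (browsers keep the '#access_token=...'
    fragment across a 302 redirect), or None if the provider refuses."""
    if not check(redirect_uri):
        return None
    final = open_redirect_target(redirect_uri) or redirect_uri
    return urlsplit(final).netloc


# Attacker-crafted authorization link: redirect_uri is the legitimate
# client's own redirector, which forwards to the attacker's site.
EVIL_REDIRECT_URI = "https://app.example/redirect?to=https://evil.example/grab"

if __name__ == "__main__":
    print("lax    ->", authorize(EVIL_REDIRECT_URI, lax_redirect_ok))
    print("strict ->", authorize(EVIL_REDIRECT_URI, strict_redirect_ok))
```

With the lax check the token lands on evil.example even though the user only ever saw the genuine provider and the genuine client domain; with the strict check the provider refuses the request before any token is issued. The fix is on the provider and client side, which is why users cannot spot it themselves.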

In Tabnabbing, a page controlled by the attackers sits in one of the
victim's open but inactive tabs and silently rewrites itself into a
fraudulent login page for a well-known site. When the victim returns to
that tab he assumes he had left the site open and enters his
credentials, which go to the attackers.

Attackers can also use Pharming to covertly redirect legitimate traffic to a malicious website and use it for Phishing (What is Pharming?).

And some attackers go even further. They set up a wifi network that
looks identical to an official public wifi network. Some users cannot
tell the difference and start using the fraudulent network, and whatever
unencrypted information is transferred through it gets stolen. (How to
deal with Evil Twin?)

How to prevent Phishing?

We can educate ourselves about the most common Phishing techniques so
that we do not fall into the trap. Here are a few steps that anyone can
easily take:

A genuine request to verify or confirm your account will address you
by at least your username. So if you get such an email that does not
contain any personal information, especially your username, it is most
likely a Phishing email. If you are still in doubt, contact the
organisation directly through a channel you already know, instead of
clicking on any link in the email.

If a bank contacts you, it will quote at least a few digits of your
account number, masking the others. So if you get an email asking for
account verification etc. that does not contain any digits of your
account number, it is most likely a Phishing email. Instead of clicking
on any link in that email, contact the bank directly and verify its
authenticity.

Use trusted security software and
update it regularly.

Keep the software on your computer updated with the latest security
patches. Attackers often use security holes in common software to carry
out these attacks.

Do not click on any link unless you are sure it is trustworthy. It may
cost you heavily.

If you get fake phone calls, take down the caller's information and
report it to the local authorities.

If you get spam emails in your inbox, select them and mark them as
spam. Spam filters normally use machine learning, so the more you help
the software recognise spam now, the better it will detect spam for you
in future. (How are spamtraps used to detect spam emails automatically?)
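The two email rules above (a genuine notice addresses you personally, and its links should go where they claim to) can be turned into a simple checker. The Python below is an added example, not code from the original post; the two sample messages, the user "alice", the account ending 4321, the bank domain examplebank.com and the function names are all constructed for illustration.

```python
"""Added example: apply the personalisation and link checks from the post
to a raw email.  Sample messages and user data are constructed."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    return urlsplit(url).netloc.lower()


def _on_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def check_message(raw: str, username: str, account_last4: str, sender_domain: str):
    """Return a list of warnings for one email.  sender_domain is the real
    domain of the organisation the message claims to come from."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    warnings = []

    # Rule 1: a genuine account notice names you (username or masked
    # account digits); a mass-mailed phish usually cannot.
    if username.lower() not in body.lower() and account_last4 not in body:
        warnings.append("no personalisation (no username or account digits)")

    # Rule 2: the From address should be on the claimed sender's domain.
    from_addr = msg.get("From", "")
    m = re.search(r"@([\w.-]+)", from_addr)
    if not m or not _on_domain(m.group(1).lower(), sender_domain):
        warnings.append(f"From address {from_addr!r} is not on {sender_domain}")

    # Rule 3: every link should lead to the sender's domain, and visible
    # link text that looks like a URL must match the real target.
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = _host(href)
        if href_host and not _on_domain(href_host, sender_domain):
            warnings.append(f"link {href!r} leads off {sender_domain}")
        if text.startswith("http") and _host(text) and _host(text) != href_host:
            warnings.append(f"link text {text!r} hides a different target {href!r}")
    return warnings


# Constructed phishing sample: generic greeting, look-alike From domain,
# and a link whose visible text is the bank's URL but whose target is not.
PHISH = """From: "Example Bank" <security@examplebank-alerts.com>
To: customer@mail.example
Subject: Urgent: verify your account
Content-Type: text/html

<p>Dear customer,</p>
<p>Your account has been suspended. Please visit
<a href="http://203.0.113.7/login">https://www.examplebank.com/login</a>
to verify your details.</p>
"""

# Constructed legitimate sample: names the user and masked account digits.
LEGIT = """From: "Example Bank" <alerts@examplebank.com>
To: alice@mail.example
Subject: Statement for account ****4321 is ready
Content-Type: text/html

<p>Hello alice,</p>
<p>Your statement for the account ending in 4321 is available at
<a href="https://www.examplebank.com/statements">our website</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, check_message(sample, "alice", "4321", "examplebank.com"))
```

These checks are heuristics in the same spirit as the advice above, not a substitute for a spam filter: a spear-phishing email that has already harvested your username will pass rule 1, which is why the last line of defence remains not clicking links you cannot vouch for.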

Purpose of Phishing

The attackers go to great lengths to collect personal information, but
what do they do with it?

Sometimes the attackers collect bank details etc. to steal money
directly. But more often the personal information is sold on to other
criminals for money. We hear about so many attacks; have we ever
wondered how the attackers pick their victims? Often it is from exactly
this kind of stolen data.

So follow the simple rules stated above, and never, ever reply to a
fraudulent email. These emails are often sent in bulk, and if you reply
it at least confirms to the attackers that your email id is a live one.
So you may end up receiving even more fraudulent emails later, if
nothing worse. Stay safe, stay protected.

2 comments:

Here is another step that can be taken. Ask your bank, your insurance company etc. to deploy DMARC (www.dmarc.org). Companies like Paypal, Twitter, Facebook, Netflix, UPS, DHL, LinkedIn and many others have been using DMARC for years to protect their customers from phishing.